
A Spam Trinity: Email Harvesters, Botmasters, Spammers

Researchers at the University of California Santa Barbara and Aachen University in Germany examined the relationship between spammers, botmasters and email harvesters in order to improve antispam systems.

A profitable spam campaign has three key elements—a reliable email list, filter-busting content, and a botnet for distribution—and each has been individually dissected and understood. But in order to adequately protect users from spam, which thrives in an established economic ecosystem, researchers decided it was important to understand the relationships between email harvesters, botmasters and spammers.

“This suggests that spammers establish some sort of customer loyalty with harvesters and botmasters, and that this relationship hardly breaks (in the absence of major events, such as botnet takedowns),” wrote researchers Gianluca Stringhini, Oliver Hohlfeldy, Christopher Kruegel, and Giovanni Vigna of the Department of Computer Science, UC Santa Barbara and Aachen University in Germany.

The paper provides a world of direction on how to use the data collected in a series of experiments conducted by the researchers to understand operational relationships and improve detection rates.

“It first helps to estimate the magnitude of the spam problem and can reveal new trends. Second, it allows to identify bottlenecks and critical points in the spamming pipeline; these critical points can be used to develop mitigation techniques to fight such threats,” they wrote.

The researchers sought to understand whether spammers harvest email addresses themselves, or rely on harvesters, for example. Do they rent multiple botnets to send spam, or just one? And how often are email addresses used and are they used in multiple campaigns?

The experiment involved building a spam trap: a large number of email addresses were set up for this research project and advertised on web pages, each address pointing to the researchers’ mail server. The team logged every access to those pages so that it could fingerprint the email harvesters that collected the addresses. It also logged every connection made to its mail server; since none of the addresses were legitimate, each connection could safely be assumed to be spam, generated by a botnet or a spammer’s own server.

The next step was to apply a technique known as SMTP dialects in order to assess which botnet or server generated each connection, before analyzing the content of spam email messages received by the project’s mail server. Those were grouped by campaign. By comparing the respective datasets, the researchers said they could reach reliable conclusions as to whether a spammer had rented multiple botnets and whether multiple spammers shared the same email list or botnet.
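The correlation step the methodology describes, as an added Python illustration (this is not code from the paper or from Threatpost): every trap address is unique, so the client that fetched the page exposing it is the harvester that collected it, and the spam the address later receives reveals which campaign and which botnet that harvester fed. The logs, the harvester-to-IP grouping and the per-connection dialect labels below are constructed sample values; in the real study the labels would come from the SMTP-dialect classifier and the campaign clustering the text mentions.

```python
"""Correlate spam-trap web hits with SMTP deliveries to link harvesters, campaigns and botnets."""
from collections import Counter, defaultdict

# Constructed web-access log: (client_ip, trap address shown on the fetched page).
# Hypothetical values, not data from the paper.
WEB_ACCESS_LOG = [
    ("198.51.100.7", "trap-0001@spamtrap.example"),
    ("198.51.100.7", "trap-0002@spamtrap.example"),
    ("198.51.100.7", "trap-0003@spamtrap.example"),
    ("203.0.113.40", "trap-0004@spamtrap.example"),
    ("203.0.113.41", "trap-0005@spamtrap.example"),
    ("198.51.100.7", "trap-0004@spamtrap.example"),  # re-harvested later; first fetch is credited
]

# Constructed grouping of crawler IPs into harvester operators (a distributed
# harvester uses several IPs). In practice this comes from crawl fingerprinting.
HARVESTER_OF_IP = {
    "198.51.100.7": "H1",
    "203.0.113.40": "H2",
    "203.0.113.41": "H2",
}

# Constructed SMTP log: (sender_ip, recipient, campaign_id, dialect_label).
# dialect_label stands in for the output of SMTP-dialect classification.
SMTP_LOG = [
    ("192.0.2.10", "trap-0001@spamtrap.example", "C1", "Cutwail"),
    ("192.0.2.11", "trap-0002@spamtrap.example", "C1", "Cutwail"),
    ("192.0.2.12", "trap-0003@spamtrap.example", "C1", "Cutwail"),
    ("192.0.2.13", "trap-0004@spamtrap.example", "C2", "Lethic"),
    ("192.0.2.14", "trap-0005@spamtrap.example", "C2", "Lethic"),
    ("192.0.2.15", "trap-0005@spamtrap.example", "C2", "Kelihos"),
    ("192.0.2.16", "trap-0001@spamtrap.example", "C3", "Cutwail"),
    ("192.0.2.17", "trap-9999@spamtrap.example", "C3", "Cutwail"),  # never advertised: unattributed
]


def address_to_harvester(web_log, harvester_of_ip):
    """Credit each trap address to the harvester that fetched it first."""
    owner = {}
    for ip, addr in web_log:
        owner.setdefault(addr, harvester_of_ip.get(ip, ip))
    return owner


def campaign_profile(web_log, smtp_log, harvester_of_ip):
    """Per campaign: which harvesters supplied its list, which botnets delivered it, and volume."""
    owner = address_to_harvester(web_log, harvester_of_ip)
    profiles = {}
    for _sender, rcpt, campaign, botnet in smtp_log:
        p = profiles.setdefault(
            campaign, {"harvesters": set(), "botnets": set(), "messages": 0, "unattributed": 0}
        )
        p["messages"] += 1
        p["botnets"].add(botnet)
        harvester = owner.get(rcpt)
        if harvester is None:
            p["unattributed"] += 1  # address not in our trap pages: list came from elsewhere
        else:
            p["harvesters"].add(harvester)
    return profiles


def harvester_spam_share(web_log, smtp_log, harvester_of_ip):
    """Fraction of all received spam attributable to each harvester ('unknown' if unattributed)."""
    owner = address_to_harvester(web_log, harvester_of_ip)
    counts = Counter(owner.get(rcpt, "unknown") for _, rcpt, _, _ in smtp_log)
    total = sum(counts.values())
    return {h: c / total for h, c in counts.items()}


def list_reuse(smtp_log):
    """Addresses hit by more than one campaign: evidence that one list is reused over time."""
    campaigns = defaultdict(set)
    for _, rcpt, campaign, _ in smtp_log:
        campaigns[rcpt].add(campaign)
    return {rcpt: sorted(c) for rcpt, c in campaigns.items() if len(c) > 1}


def multi_botnet_campaigns(profiles):
    """Campaigns delivered through more than one botnet (a spammer renting several)."""
    return sorted(c for c, p in profiles.items() if len(p["botnets"]) > 1)


if __name__ == "__main__":
    profiles = campaign_profile(WEB_ACCESS_LOG, SMTP_LOG, HARVESTER_OF_IP)
    for campaign, p in sorted(profiles.items()):
        print(campaign, sorted(p["harvesters"]), sorted(p["botnets"]), p["messages"], p["unattributed"])
    print("harvester share:", harvester_spam_share(WEB_ACCESS_LOG, SMTP_LOG, HARVESTER_OF_IP))
    print("reused addresses:", list_reuse(SMTP_LOG))
    print("multi-botnet campaigns:", multi_botnet_campaigns(profiles))
```

Crediting an address to its first fetcher is a deliberate choice: once a list has been sold on, later crawls of the same page by a second harvester say nothing about who supplied the campaign, while an unadvertised recipient (the `trap-9999` entry) flags a list that did not originate from the trap at all.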


“Our findings suggest that spammers typically rent a single botnet and that a fraction of them set up their own mail transfer agents (MTAs) to spread spam. Another interesting discovery is that spammers tend to stick with a single list of email addresses for long periods of time, even years,” they wrote.

The researchers’ spamtrap caught 75 unique IP addresses, though only four harvested up to 70 percent of the email addresses, which received 74 percent of the total spam. The researchers concluded there were nine email harvesters at play in their dataset, five of whom used a single IP address while others relied on a distributed infrastructure. The SMTP dialects, meanwhile, led them to conclude that three botnets—Cutwail, Lethic and Kelihos—targeted their servers, from varied geographic locations.

“Our observation suggests that the botnet users that sent spam to us purchased their bots in a small number of countries. Other instances (and customers) of the same botnet might show very different country distributions,” the paper said. “The fact that each spammer uses bots located in different countries is consistent with previous work, which showed that the physical location of a bot does not influence the overall spamming performance of the botnet.”

The paper points the way for researchers whose aim is to improve detection methods for finding spambots in the wild or fingerprinting the email engine used by a particular botnet.

“Since spammers seem to rely on a single botnet at a time, taking down the botnet that they are using can have significant effects on their business,” the paper said. “This observation makes techniques that identify command and control servers particularly important.”

Authors

Threatpost
